Windows 2000 - EFS keeps your files secure on the road

As long as you feed Windows 2000 a good dollop of RAM (aim for 256MB if your budget allows it), you should be very pleased with the operating system on your portable. However, portables are inherently "nickable" so it pays to look into some form of protection for your files against prying eyes.

There are several steps that you can take to prevent unauthorised access to your files. First, ensure that the hard disk is formatted with NTFS, not FAT32. The small performance drop is worth it, as you'll gain improved security (as well as a degree of fault tolerance).

NTFS provides fine-grained permissions and access controls on files, and as long as you enforce long, non-obvious passwords, it might be enough to stave off unauthorised access by casual, non-techie intruders. Techie rogues will easily bypass NTFS security, however.

Clearly, you need to do more. Passwords in your applications (e.g., Microsoft Word or Excel) protect the files you're working with, but there are plenty of cracking programs available for these.

Encryption File System

Windows 2000 offers a middle way to protect your files: the Encryption File System (EFS). This is implemented as a set of kernel-mode drivers, and you can't bypass them to access the hard disk without going through the file system. EFS uses public-key cryptography with data encrypted by a randomly generated public key; data can only be decrypted with a user's private key, however.

Data is encrypted with the DESX mechanism, which is a 128-bit key variant of the US Government Data Encryption Standard (56-bit, and now cracked). 128-bit encryption can probably be cracked, but it requires substantial computing power and time to do so - there are approximately 3.4 x 10^38 possible key combinations.

The advantages to EFS are that it's totally transparent to users, yet provides a relatively high level of security. It is tightly integrated with NTFS, using file system attributes to store the encryption keys. You can also publish public EFS keys within Active Directory, to make them available to other users.

EFS has a few caveats. It doesn't protect files copied to non-NTFS file volumes, nor does it encrypt files sent across a network. You should also never attempt to encrypt system files - the EFS driver isn't loaded until after boot-up, so your system would be inaccessible if the system files were encrypted (as a protective measure, EFS refuses to encrypt files with the System attribute set). Finally, you must use cut-and-paste for moving files, not drag-and-drop, to ensure the files stay encrypted when you move them.

EFS is very easy to use. First, remember that you should encrypt folders, not individual files - Microsoft's Best Practices for EFS document advises folder-level encryption as the best way to ensure that files are not decrypted unexpectedly. Once you've selected the folder to encrypt (My Documents is a good candidate, and perhaps also the temp folder), simply right-click on the folder icon, select Properties-General and click the Advanced button; in the dialogue that pops up, tick the "Encrypt contents for enhanced security" box.

When you exit the dialogue box, Windows 2000 will start the encryption process. Once the encryption is finished, the files cannot be accessed, copied or deleted by anyone apart from the user who encrypted them (although see caveats above). All files added to the folder will be encrypted transparently. To remove encryption, click on the encrypted file or folder, and remove the tick in the "Encrypt contents." box.

There is also a command-line utility, cipher.exe, which can be used in batch files, but it's not necessary for basic encryption work.
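
The folder-level advice above, scripted with cipher.exe as a batch file (an added example, not part of the original article). The two folder paths are assumptions based on the folders the article suggests; adjust them to your own profile layout.

```bat
@echo off
rem Added example: folder-level EFS encryption from a batch file.
rem The folder list below is an assumption; edit it to suit your machine.
setlocal

call :protect "%USERPROFILE%\My Documents"
call :protect "%TEMP%"
goto :eof

:protect
rem %~1 is the folder to protect, with surrounding quotes stripped.
if not exist "%~1\" goto missing

rem /e  marks the folder so files added later are encrypted
rem /a  also encrypts the files already inside it
rem /s: repeats the operation in every subfolder
cipher /e /a /s:"%~1" >nul

rem With neither /e nor /d, cipher only lists state. Each entry line
rem starts with E (encrypted) or U (unencrypted). Files EFS refuses,
rem such as those with the System attribute, stay at U.
cipher /s:"%~1" | findstr /b /c:"U " >nul
if errorlevel 1 goto clean

echo CHECK %~1 still holds unencrypted entries:
cipher /s:"%~1" | findstr /b /c:"U "
goto :eof

:clean
echo OK    %~1
goto :eof

:missing
echo SKIP  %~1 not found
goto :eof
```

Run it while logged on as the user who owns the files, since the files are encrypted for whoever runs cipher.exe.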

Forgot the password?

What do you do if you have forgotten the user password, but need access to the encrypted files? Luckily, Windows 2000 creates a certificate by default, which sets the Administrator account as the Encrypted Data Recovery Agent. You access the EDRA through the Microsoft Management Console (e.g., by clicking on Start-Run and typing in mmc /c).

The EDRA can also be assigned to an account other than Administrator, if you wish. It's worth exporting the certificate and private key to a securely kept floppy disk, in case you need to shift or restore the files to a new computer.

To recover encrypted data, simply log on as the Administrator (or the account designated for EDRA), fire up Explorer and clear the "Encrypt contents." box as above. If you don't want EFS at all on your computer, delete the EDRA certificate to disable it. To prevent abuse, EFS is unavailable without an EDRA certificate.

Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited. Copyright 2013 IDG Communications.
ABN 14 001 592 650. All rights reserved.